Breach of the Protection Obligation by Marina Bay Sands Pte Ltd
28 Oct 2025
EXECUTIVE SUMMARY (MARINA BAY SANDS PTE LTD)
Decision
The Personal Data Protection Commission (“PDPC”) has imposed a financial penalty of $315,000 on integrated resort operator Marina Bay Sands Pte Ltd (“MBS”) for breaching the Protection Obligation under the Personal Data Protection Act (“PDPA”). The penalty was determined in accordance with the revised Financial Penalty framework introduced by the Personal Data Protection (Amendment) Bill 2021.
Incident
In October 2023, 665,495 MBS patrons had their personal data illegally accessed and exfiltrated by unknown threat actor(s). The affected data, which included names and contact details that identified MBS’ patrons, was later found offered for sale on the dark web. Such data leaks can be further exploited in phishing scams or identity theft.
Cause
MBS admitted to breaching the Protection Obligation by failing to take reasonable security measures to protect the personal data in its possession. This occurred during a large-scale software migration exercise in March 2023.
It was necessary for MBS to ensure that security policies (e.g. who could access the data) were applied when migrating from the old software to the new. This meant that all related applications accessed through its Application Programming Interfaces (“APIs”), and their respective identifiers, needed to be duly covered before and after the migration. However, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. Because the webpage no longer had proper security policies in place, malicious threat actor(s) were able to access and exfiltrate its patrons’ personal data. Despite the clear risks involved in such a massive migration exercise, MBS had:
• made a single employee responsible;
• for manually compiling the list of API configurations;
• without due second layer checks.
MBS failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected. MBS’ failure to put in place proper processes to ensure the due implementation of its security policies post-migration was a negligent contravention of the Protection Obligation. As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect its patrons’ personal data.
Enforcement Action
From 1 October 2022, Parliament raised the maximum financial penalty for large organisations with annual turnovers in Singapore of more than S$10 million, to 10% of their annual turnovers. This change was aimed at achieving more effective deterrent enforcement, signalling the importance of data protection in the digital economy.
PDPC imposed a financial penalty on MBS that accounts for the scale of the data breach, which exposed the personal data of more than half a million patrons without their consent. PDPC also took into account MBS’ voluntary admission of liability, and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.
